0.192-5

- Enable debuginfod IMA verification - Add elfutils-0.192-fix-configure-conditional.patch Resolves: RHEL-71791
2024-12-18 13:54:52 -05:00 · 2024-12-18 13:54:52 -05:00 · e417bd7b75
commit e417bd7b75
parent f476133c96
2 changed files with 45 additions and 2 deletions
--- a/elfutils-0.192-fix-configure-conditional.patch
+++ b/elfutils-0.192-fix-configure-conditional.patch
@ -0,0 +1,26 @@
+From fb4753feb0ed7e3387f52b54bb02c6c74aac6a3e Mon Sep 17 00:00:00 2001
+From: Aaron Merey <amerey@redhat.com>
+Date: Tue, 29 Oct 2024 14:54:10 -0400
+Subject: [PATCH] Fix ENABLE_DEBUGINFOD_IMA_VERIFICATION always
+evaluating to false
+
+---
+ configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index f191488..3d2d3ee 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -892,7 +892,7 @@ AS_IF([test "x$enable_debuginfod" != "xno"],AC_DEFINE([ENABLE_DEBUGINFOD],[1],[B
+ AM_CONDITIONAL([DEBUGINFOD],[test "x$enable_debuginfod" = "xyes"])
+ AS_IF([test "x$enable_debuginfod_ima_verification" = "xyes"],AC_DEFINE([ENABLE_IMA_VERIFICATION],[1],[Build IMA verification]))
+ AS_IF([test "x$have_libarchive" = "xyes"],AC_DEFINE([HAVE_LIBARCHIVE],[1],[Define to 1 if libarchive is available]))
+-AM_CONDITIONAL([ENABLE_IMA_VERIFICATION],[test "$enable_debuginfod_ima_verification" = "xyes"])
+AM_CONDITIONAL([ENABLE_IMA_VERIFICATION],[test "x$enable_debuginfod_ima_verification" = "xyes"])
+ AM_CONDITIONAL([OLD_LIBMICROHTTPD],[test "x$old_libmicrohttpd" = "xyes"])
+ 
+ dnl for /etc/profile.d/elfutils.{csh,sh}
+-- 
+2.47.0
+
--- a/elfutils.spec
+++ b/elfutils.spec
@ -4,7 +4,7 @@

 Name: elfutils
 Version: 0.192
-%global baserelease 4
+%global baserelease 5
 Release: %{baserelease}%{?dist}
 URL: http://elfutils.org/
 %global source_url ftp://sourceware.org/pub/elfutils/%{version}/
@ -48,6 +48,7 @@ BuildRequires: pkgconfig(sqlite3) >= 3.7.17
 BuildRequires: pkgconfig(libarchive) >= 3.1.2
 # For debugindod metadata query
 BuildRequires: pkgconfig(json-c) >= 0.11
+BuildRequires: jq

 # For tests need to bunzip2 test files.
 BuildRequires: bzip2
@ -60,6 +61,12 @@ BuildRequires: curl
 # For run-debuginfod-response-headers.sh test case
 BuildRequires: socat

+# For debuginfod rpm IMA verification
+BuildRequires: rpm-devel
+BuildRequires: ima-evm-utils-devel
+BuildRequires: openssl-devel
+BuildRequires: rpm-sign
+
 # For eu-stacktrace
 %if %{enable_stacktrace}
 BuildRequires: sysprof-capture-devel
@ -95,6 +102,9 @@ Patch2: elfutils-0.192-libelf-static.patch
 # Fix eu-stacktrace LTO build error.
 Patch3: elfutils-0.192-stacktrace-lto.patch

+# Fix configure.ac setting ENABLE_DEBUGINFOD_IMA_VERIFICATION.
+Patch4: elfutils-0.192-fix-configure-conditional.patch
+
 %description
 Elfutils is a collection of utilities, including stack (to show
 backtraces), nm (for listing symbols from object files), size
@ -327,7 +337,9 @@ trap 'cat config.log' EXIT
 %if %{enable_stacktrace}
 	--enable-stacktrace \
 %endif
-	--enable-debuginfod
+	--enable-debuginfod \
+	--enable-debuginfod-ima-verification \
+	--enable-debuginfod-ima-cert-path=%{_sysconfdir}/keys/ima
 trap '' EXIT
 %make_build

@ -472,6 +484,7 @@ fi
 %{_mandir}/man7/debuginfod*.7*
 %config(noreplace) %{_sysconfdir}/profile.d/*
 %config(noreplace) %{_datadir}/fish/vendor_conf.d/*
+%{_sysconfdir}/debuginfod/*.certpath
 %if "%{?dist_debuginfod_url}"
 %config(noreplace) %{_sysconfdir}/debuginfod/*
 %endif
@ -513,6 +526,10 @@ exit 0
 %systemd_postun_with_restart debuginfod.service

 %changelog
+* Fri Dec 13 2024 Aaron Merey <amerey@redhat.com> - 0.192-5
+- Enable debuginfod IMA verification
+- Add elfutils-0.192-fix-configure-conditional.patch
+
 * Tue Oct 29 2024 Aaron Merey <amerey@redhat.com> - 0.192-4
 - Install fish profile script unconditionally